kcshell: assembly/disassembly shell
2017-04-08 22:11:42 by rui
I was a bit bored of switching between metasm_shell and nasm_shell every time I had to play with assembly instructions and opcodes during exploit development or reversing code. Also, switching between x86 and x64 wasn't possible. Since I was already playing with the triforce Keystone, Capstone and Unicorn Python bindings, in a different project, I decided to write a small interactive assembly/disassembly shell for various architectures powered by Keystone/Capstone.
It's extremely easy to install and use. To install, just type:
pip3 install kcshell
You may be wondering, pip3? Yes, I wrote it in Python3 and I really didn't care about Python2. Why? Well, Python2 will be unsupported in more or less 3 years, so I decided to use Python3.
By default kcshell starts in 'assembler' mode (x86 32 bits). You can change modes with 'setmode'.
$ kcshell
-=[ kcshell 0.0.1 ]=-
Default Assembler architecture is x86 (32 bits)
asm> lsmodes
disasm, asm
asm> setmode disasm
Default Disassembler architecture is x86 (32 bits)
disasm>
You can also change the default architecture for both the 'assembler' and 'disassembler' with 'setarch'.
disasm> lsarchs
x86, mips32, arm_t, x64, arm, x16, arm64, mips64
disasm> setarch x64
Disassembler architecture is now x64
disasm>
To assemble instructions just type the instructions in the command line.
asm> jmp esp
"\xff\xe4"
asm> xor eax, eax
"\x31\xc0"
asm> jmp -500
"\xe9\x07\xfe\xff\xff"
asm> add esp,-1500
"\x81\xc4\x24\xfa\xff\xff"
asm> xor ecx,ecx ; mov ch, 0xc8 ; mov esi, edi ; mov edi, esp ; rep movsb
"\x31\xc9\xb5\xc8\x89\xfe\x89\xe7\xf3\xa4"
asm> setarch x64
Assembler architecture is now x64
asm> inc rax
"\x48\xff\xc0"
asm>
To go from opcodes to instructions just type them in the command line.
disasm> \xff\xe4
0x00400000: jmp esp
disasm> \x31\xc0
0x00400000: xor eax, eax
disasm> \x31\xc9\xb5\xc8\x89\xfe\x89\xe7\xf3\xa4
0x00400000: xor ecx, ecx
0x00400002: mov ch, 0xc8
0x00400004: mov esi, edi
0x00400006: mov edi, esp
0x00400008: rep movsb byte ptr es:[edi], byte ptr [esi]
disasm> setarch x64
Disassembler architecture is now x64
disasm> \x48\xff\xc0
0x00400000: inc rax
disasm>
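The two sessions above show the whole job such a shell does: turn text into bytes with Keystone and bytes back into text with Capstone, plus the small but error-prone step of converting between raw bytes and the "\xff\xe4" notation typed at the prompt. The following is an added example of that glue written for this post, not kcshell's own code. The parse/format helpers are pure Python; assemble() and disassemble() need the keystone-engine and capstone packages installed, cover only the x16/x86/x64 names from the lsarchs output (the table is an assumption and would need extending for the other architectures), and use the same 0x00400000 base address as the session.

```python
import re


def format_opcodes(data: bytes) -> str:
    """Render raw bytes in the quoted "\\x.." form the asm prompt prints."""
    return '"' + ''.join('\\x%02x' % b for b in data) + '"'


def parse_opcodes(text: str) -> bytes:
    """Parse the opcode notations a user is likely to paste at a disasm prompt.

    Accepted forms (constructed examples): \\xff\\xe4, "\\xff\\xe4", ff e4,
    ffe4, 0xff,0xe4, ff:e4. Raises ValueError unless the input is whole bytes,
    so a truncated paste is rejected instead of being silently disassembled.
    """
    s = text.strip().strip('"\'')
    # Drop C-style \x prefixes, then split on the usual separators.
    s = re.sub(r'\\[xX]', '', s)
    digits = []
    for tok in re.split(r'[\s,:]+', s):
        if not tok:
            continue
        if tok[:2].lower() == '0x':
            tok = tok[2:]
        digits.append(tok)
    joined = ''.join(digits)
    if not joined or len(joined) % 2 or not re.fullmatch(r'[0-9a-fA-F]+', joined):
        raise ValueError('expected whole bytes in hex, got %r' % text)
    return bytes.fromhex(joined)


def is_valid_opcodes(text: str) -> bool:
    """True if parse_opcodes() would accept the text."""
    try:
        parse_opcodes(text)
        return True
    except ValueError:
        return False


# Assumption: only the x86 family is mapped; keys follow the lsarchs names.
_X86_BITS = {"x16": 16, "x86": 32, "x64": 64}


def assemble(code: str, arch: str = "x86") -> bytes:
    """Assemble ';'-separated instructions with Keystone (pip3 install keystone-engine)."""
    import keystone
    modes = {16: keystone.KS_MODE_16, 32: keystone.KS_MODE_32, 64: keystone.KS_MODE_64}
    ks = keystone.Ks(keystone.KS_ARCH_X86, modes[_X86_BITS[arch]])
    encoding, _count = ks.asm(code)
    return bytes(encoding or [])


def disassemble(data: bytes, arch: str = "x86", base: int = 0x00400000):
    """Disassemble with Capstone (pip3 install capstone); returns (address, text) pairs."""
    import capstone
    modes = {16: capstone.CS_MODE_16, 32: capstone.CS_MODE_32, 64: capstone.CS_MODE_64}
    md = capstone.Cs(capstone.CS_ARCH_X86, modes[_X86_BITS[arch]])
    return [(insn.address, ('%s %s' % (insn.mnemonic, insn.op_str)).strip())
            for insn in md.disasm(data, base)]


if __name__ == "__main__":
    # Constructed input: the rep movsb stub from the session above, as typed at the prompt.
    typed = r"\x31\xc9\xb5\xc8\x89\xfe\x89\xe7\xf3\xa4"
    raw = parse_opcodes(typed)
    print(format_opcodes(raw))
    for addr, text in disassemble(raw):
        print("0x%08x: %s" % (addr, text))
    # Round trip through both engines for a single instruction.
    assert assemble("jmp esp") == b"\xff\xe4"
    assert disassemble(b"\xff\xe4") == [(0x00400000, "jmp esp")]
```

Keeping the byte parsing strict matters more than it looks: feeding a half-byte or a stray non-hex character to Capstone yields a plausible but wrong listing, so the helper refuses anything that is not an exact number of bytes rather than guessing.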
For help just use '?' or 'help'.
asm> ?
Documented commands (type help <topic>):
========================================
EOF  exit  help  lsarchs  lsmodes  quit  setarch  setmode

asm> help lsmodes
Lists current operational modes available.
asm> help lsarchs
List supported Assembler architectures.
asm> help setarch
Set Assembler architecture. To list available options type 'lsarchs'.
asm> help setmode
Sets 'kcshell' operational mode. For available options run 'lsmodes'.
asm> lsarchs
systemz, hexagon, arm, arm64, ppc32, mips32, sparc, x64, x16, sparc64, arm_t, x86, mips64, ppc64
To list all the supported architectures just go to the desired mode and use 'lsarchs'.
asm> lsarchs
mips64, sparc64, sparc, arm_t, x64, x16, arm64, hexagon, systemz, mips32, ppc64, x86, arm, ppc32
asm> lsmodes
asm, disasm
asm> setmode disasm
Default Disassembler architecture is x86 (32 bits)
disasm> lsarchs
mips64, x16, arm64, mips32, arm_t, x86, arm, x64
disasm>
I plan to implement a feature to read assembly instructions or opcodes from files soon. So if you find kcshell useful just keep an eye on github. In the meantime, have fun.